Privacy Policy

Last updated: March 4, 2026

PopSmart ("we", "us", or "our") operates the PopSmart application available on the Shopify App Store. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you install and use our application.

1. Information We Collect

1.1 Store Data via Shopify API

When you install PopSmart, we access the following data through the Shopify API with your explicit permission:

  • Product catalog — product names, descriptions, variants, prices (including sale prices), images, tags, and custom metadata
  • Order history — up to 180 days of order data including order totals, line items, and customer IDs (used for co-purchase analysis and product recommendations)
  • Discount information — active discount codes, automatic discounts, and buy-X-get-Y offers
  • Store settings — shop name, domain, currency, and locale

1.2 Merchant Information

We collect information you provide directly:

  • Shopify store domain and admin email (via OAuth)
  • Customization preferences (avatar, theme, tone of voice, trigger settings)
  • Billing and subscription information (managed through Shopify's billing API)
  • Support ticket communications

1.3 Visitor Behavior Data

PopSmart observes anonymous, page-level visitor behavior on your store:

  • Page views and product views
  • Cart additions and cart state
  • Scroll depth and engagement signals
  • Time spent on pages
  • Exit intent signals

We do NOT collect: personal names, email addresses, physical addresses, payment information, or any other personally identifiable information (PII) of your store visitors. All visitor tracking uses anonymous session-based identifiers that are cleared when the browser tab is closed.

1.4 Automated Logging

We automatically log:

  • Impression events (when a message is shown to a visitor)
  • Click and conversion events (anonymous, for AI learning)
  • Error logs and performance metrics (via Sentry)

2. How We Use Your Information

  • AI message generation — your store data provides context for generating personalized, relevant messages for visitors
  • Self-learning optimization — impression and click data is analyzed daily to improve message effectiveness
  • Product recommendations — order history is analyzed to identify co-purchase patterns for bundle suggestions
  • Billing and account management — tracking usage against your plan limits
  • Merchant communications — sending performance reports, usage alerts, and operational notifications (with opt-out per category)
  • Service improvement — aggregated, anonymized analytics to improve PopSmart

3. Third-Party Services

We use third-party services to operate PopSmart, including:

  • AI message generation — we use AI to generate contextual messages. The AI receives anonymized store context only; no visitor personal information is shared.
  • Email delivery — merchant emails (performance reports, billing alerts) are sent through a trusted email delivery provider.
  • Cloud infrastructure — our services are hosted on secure cloud infrastructure with industry-standard protections.

These services process data only as necessary to provide their specific function and are bound by their own privacy policies and data processing agreements.

4. Data Retention

  • Store data cache — continuously synced and refreshed; deleted upon app uninstall
  • Order history — up to 180 days, refreshed on sync cycles
  • Impression data — retained for AI learning and performance reporting; deleted upon app uninstall or GDPR request
  • Account data — retained while your subscription is active; deleted within 30 days of app uninstall per Shopify's shop/redact webhook

5. GDPR and Data Subject Rights

PopSmart fully complies with GDPR and Shopify's mandatory compliance requirements. We implement all three required webhooks:

  • Customer Data Request (customers/data_request) — we export all data associated with a customer within 30 days
  • Customer Data Erasure (customers/redact) — we delete all customer-associated data within 30 days
  • Shop Data Erasure (shop/redact) — we delete all store data after the merchant uninstalls the app

As a data processor, we act on behalf of merchants (data controllers). If a store visitor wishes to exercise their data rights, they should contact the merchant directly.

6. Data Security

We take the security of your data seriously. All data is encrypted in transit, access is restricted to authorized services only, and we follow Shopify's security best practices for app development.

7. Children's Privacy

PopSmart is a B2B service for Shopify merchants. We do not knowingly collect information from children under 13.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes via email or in-app notification. Continued use of PopSmart after changes constitutes acceptance of the updated policy.

9. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: team@popsmart.ai